Abstract


The standard Galois connection between the relational and 
predicate-transformer models of sequential programming (defined in 
terms of weakest precondition) confers a certain similarity between 
them. This paper investigates the extent to which the important in- 
volution on transformers (which, for instance, interchanges demonic 
and angelic nondeterminism, and reduces the two kinds of simulation 
in the relational model to one kind in the transformer model) carries 
over to relations. It is shown that no exact analogue exists; that the 
two complement-based involutions are too weak to be of much use; but 
that the translation to relations of transformer involution under the 
Galois connection is just strong enough to support Boolean-algebra- 
style reasoning, a claim that is substantiated by proving properties 
of deterministic computations. Throughout, the setting is that of 
the guarded-command language augmented by the usual specification 
commands; and where possible algebraic reasoning is used in place of 
the more conventional semantic reasoning. 


1 Introduction 


We adopt the familiar view that a semantic model for programming, and for 
the development of programs from specifications through designs to code, 
consists of a partially-ordered space. The elements of the space are de- 
signs expressed in code—‘programs’—and designs (including specifications) 
expressed using more general ‘commands’. The partial order is that of
(‘more-deterministic-than’) refinement. 

The two main semantic models for sequential programming, the re- 
lational model (see, for example, Hoare et al.’s [10]) and the predicate- 
transformer model (Dijkstra’s [5]), are congruent on programs—which we 
take to consist essentially of Dijkstra’s guarded-command language (loc. 
cit.). The congruence is established by the Galois connection consisting of 
the weakest-precondition function from relations to predicate transformers 
and its adjoint, relational projection, in the other direction. 

But the two models diverge with the incorporation of commands more 
general than programs, like partially-enabled computations (guarded com- 
mands), unbounded demonic nondeterminism and angelic nondeterminism 
(the work of Back [1], Morgan [14], Nelson [16] and Morris [15]). For example 
they handle angelic nondeterminism quite differently, and the transformer 
model is endowed with an involution that accounts for its quantitatively- 
better structure. Indeed transformer involution interchanges demonic and 
angelic nondeterminism (see Back and von Wright’s [2]), interchanges pre- 
condition and guard (the same authors’ [3]), reduces the two simulations 
required for completeness of data refinement in the relational model to a 
single complete rule in the transformer model (see Gardiner and Morgan’s 
[8] or de Roever and Engelhardt’s text [7]), and facilitates familiar Boolean- 
algebra style of reasoning (Back and von Wright’s [3]). 

So on one hand the binary-relation and predicate-transformer models 
share substantial similarities and on the other they exhibit important differ- 
ences. In this paper we investigate the extent to which the relational model 
retains vestiges of transformer involution, and how useful that is. 

We begin with a simple result: relations possess no equivalent of trans- 
former involution. That means, of course, that any attempt to define an 
involution by structural induction on relations must fail. But it leaves open 
the possibility of ‘weak’ involutions: functions on the relational model that 
satisfy merely some of the properties enjoyed by an involution. 

The first two putative weak involutions we consider are based on set 
complement in the relational model. Unfortunately both turn out to be 
too weak because they identify too many computations. So we consider the 
translation of transformer involution to relations using the Galois connec- 
tion, and call the result Galois star. It is better behaved than the previous 
candidates, but an experiment is required to determine whether or not its 
properties are strong enough to support the kind of reasoning that trans- 
former involution permits on transformers.

For that experiment we choose a topic that has emerged as a ‘bench- 
mark’ [5, 6, 13] for such kinds of reasoning (at least when restricted to 
the guarded-command language proper): the consideration of determinism. 
Extending that concept to partially-enabled computations, we distinguish 
deterministic, predeterministic and postdeterministic computations. A de- 
terministic computation terminates in each initial state with one (state- 
dependent) value; a predeterministic computation at each initial state ei- 
ther fails to terminate or terminates with one value; and a postdeterministic 
computation at each initial state either fails to be enabled or terminates with 
one value. (Note that some authors use ‘deterministic’ for our
‘predeterministic’.) Then a standard ‘test’ of a formalism for reasoning
about computations is the ease with which it is able to reason about
preservation of determinism: if computations P and Q are predeterministic
then so too are their sequential composition P ; Q and their conditional
if a → P [] b → Q fi with disjoint guards a and b; whilst the binary
conditional P ◁ b ▷ Q preserves all three kinds of determinism. Reasoning
in the transformer model
was originally due to Dijkstra [5], then to Dijkstra and Scholten [6], and in 
the relational model with Tarski’s axioms to Maddux [13]. For comparison 
we also give a proof in the program calculus itself—without any particular 
semantic model. Such a step we regard as hugely preferable. Indeed one of 
the techniques promoted in this paper is algebraic reasoning about concepts 
normally handled semantically. 

The paper proper begins, in Section 3, with a summary of programs 
(the guarded-command language) and their more general commands. It 
summarises, in Section 4, the relational and transformer models and the 
Galois connection between them. It then proves, in Section 5, the absence 
of an involution on the relational model, considers the two complement- 
based candidates in Sections 6 and 7 before settling, in Section 8, on Galois 
star which is applied in reasoning about forms of determinism in Section 9. 
But first, notation must be established. 


2 Notation 


Pertaining to logic, we write: ≜ for equals by definition; a: A to mean a
is of type A; pred.X for the type of predicates on X, where predicates are
Boolean-valued functions and substitution is functional application (possible
because we consider predicates over only a single state space of
Cartesian-product type); formulae like ∀a: A · p in which the dot simply acts
as a syntactic separator; p ◁ b ▷ q for the binary conditional, ‘p if b else
q’; ⇒ for implication on predicates, and for the infix (partial-order)
relation it engenders on predicates we write instead ≤.

Pertaining to binary relations: A ↔ B denotes the type of binary relations
from A to B and A → B the type of (total) functions from A to B; id[A]
denotes the identity function on A; functional application is written ‘.’
(as in f.v) and associates to the left; composition of functions is written
∘ (as in f ∘ g); binary relations are written in infix (thus ‘r relates a and
b’ is written a r b); (forward) relational composition, as well as sequential
composition in the programming language, is written ; (so that if binary
relations f and g are actually functions then their forward relational
composition f ; g equals their functional composition g ∘ f); and relational
image at a point is written r.(|a|) (and equals {y | a r y}).

From partial orders we need the following concepts. If (X, ≤) and (Y, ≤)
are partial orders then a pair of functions f: X → Y and g: Y → X forms a
Galois connection [17] means that they satisfy the equivalence

f.x ≤ y  ≡  x ≤ g.y.


A function f : X → Y between partial orders is said to be universally
[positively] disjunctive iff

f.(⊔S) = ⊔{f.s | s ∈ S}

for all [all nonempty] subsets S of X (and analogously for conjunctivity).
Whilst it is very simple, the theory of Galois connections has substantial 
applications in program semantics [11] and software engineering [4]. Because 
it is one of those subjects that has been developed largely by folklore, we 
include in Section 4.3 a summary relevant to our needs. For more general 
book treatments we refer to the standards [9, 12]. 

The semantic denotation of a command P is written [P]. Two seman- 
tic models are considered (binary relations and predicate transformers). 
When confusion could arise by our use of the same notation for two distinct 
semantics, we clarify which is meant. 

More specific notation (like the healthy closure of a binary relation) is 
introduced as it is needed. 
3 Command Calculus


This section summarises the language this paper uses for describing ‘pro- 
grams’ (or ‘code’) and their generalisations ‘commands’ (or ‘specification 
computations’), and the laws they satisfy. Concepts like ‘deterministic’ and 
‘terminating’ that are normally applied just to programs (and defined se- 
mantically) are here extended to commands and defined algebraically. That 
enables us to reason algebraically about those concepts. 


3.1 Programs 


We denote by X the global state space of the programs under consideration; 
it is the Cartesian product of the types of the various program variables. 
The state of a program is thus denoted by a vector x: X.

The syntax of our version [10] of Dijkstra’s guarded-command language 
is summarised in Figure 1. Computation skip terminates without changing 
state and computation abort corresponds to divergence. In assignment, 
the state x: X is updated to take the value of the well-typed (well defined: 
terminating and single-valued) expression e. Sequential composition is
standard. Binary conditional is written P ◁ b ▷ Q to express P if b else Q,
where b is a (totally defined) predicate on state.

Demonic nondeterminism arises from abstraction of blocks defined at 
a lower level of abstraction together with the requirement for local reason- 
ing; it corresponds to a choice between its arguments whose resolution lies 
beyond the current level of abstraction. Recursion is modelled as least pre- 
fixed point. For simplicity we do not here include local block or procedure 
invocation. Refinement corresponds to removal of demonic nondeterminism,
so that P ⊑ Q ≜ (P ⊓ Q = P).


3.2 Commands 


A computation that is a program, or code, is regarded as executable. The
commands which extend programs are summarised in Figure 2. Extending
the operators (and hence also the ordering) in Figure 1 to commands, the
result is a partially-ordered space of computations that we denote L(X).
Arbitrary demonic nondeterminism is infimum in the refinement ordering
and so extends the binary version expressed in programs. Empty demonic
nondeterminism is thus the greatest element of L(X): ⊓{ } = magic; it
refines every command and represents a computation which is never enabled.
Since arbitrary infima exist, so too do arbitrary suprema. Arbitrary
angelic nondeterminism is supremum in the refinement ordering; empty
angelic nondeterminism is thus the least element: ⊔{ } = abort.


skip           no op
abort          divergence
x := e         assignment
P ; Q          sequential composition
P ◁ b ▷ Q      binary conditional
P ⊓ Q          demonic nondeterminism
μF             recursion

P ⊑ Q          refinement


Figure 1: Syntax for programs and the refinement pre-order.


⊓P             arbitrary demonic nondeterminism
choose         arbitrary assignment
magic          unenabled computation
{p}            assertion
(p)            coercion
⊔P             arbitrary angelic nondeterminism


Figure 2: Syntax for commands (although an assertion is code).

For a predicate b on state space X, the computation assert b skips if
b holds but otherwise fails to terminate:

{b} ≜ skip ◁ b.x ▷ abort; (1)

thus it is actually code. Computation coerce b skips if b holds but otherwise
is not enabled:

(b) ≜ skip ◁ b.x ▷ magic. (2)

The computation choose terminates in an arbitrary state:

choose ≜ ⊓{x := y | y ∈ X}. (3)

When the state space is infinite that is not code. The computation neq
terminates in a final state different from its initial state:

neq ≜ ⊓{x := y | y ≠ x} (4)

where x denotes the initial state and the predicate y ≠ x is a finite conjunct
if the state space is finite.

The important computational concepts of termination, enabledness and
determinism are expressed algebraically as follows. Suppose that P is a
command and x₀: X is a state. Then P aborts at x₀ iff the computation
might not (equivalently ‘will not’ in the standard (Hoare/Dijkstra) model
we follow here) terminate there:

{x = x₀} ; P = abort.

Command P is enabled at x₀ iff it may (equivalently ‘does’) begin there:

(x = x₀) ; P ≠ magic,

which is equivalent (in view of Law (17) to follow) to

(x = x₀) ; P ; abort = abort.

P terminates at x₀ means that it is enabled but does not abort there.

Computation P is deterministic at x₀ means that P is enabled there
and terminates in only a single final state. To define that term: command
P is co-atomic at x₀ iff at x₀, P does not equal magic and no commands
lie strictly between P and magic:

(x = x₀) ; P ≠ magic (5)
∀R: L(X) · (x = x₀) ; P ⊏ R ⇒ R = magic. (6)

Then P is deterministic at x₀ iff (x = x₀) ; P is co-atomic.

Command P is postdeterministic at x₀ iff either it is not enabled there or it
terminates in only a single value:

(x = x₀) ; P ≠ magic ⇒ (x = x₀) ; P is co-atomic.

Finally P is predeterministic at x₀ iff it is enabled there and either does not
terminate or is deterministic:

(x = x₀) ; P ≠ magic
∧
({x = x₀} ; P ≠ abort ⇒ (x = x₀) ; P is co-atomic).
A command is terminating [always-enabled, deterministic, predeterministic,
postdeterministic] means that it is terminating [enabled, deterministic,
predeterministic, postdeterministic] at each initial state x₀. In
particular a command is deterministic iff it is predeterministic and
postdeterministic. Code is always enabled; and the celebrated loop rule
ensures termination of code in the form of an iteration. But magic, for
example, is not enabled (hence) not terminating, but is postdeterministic.
It is convenient to keep in mind that in the transformer model (at least),
enabledness plays for commands a role dual to that which termination plays
for code. A consequence of our interest in relational involutions is the
extent to which that remains true for the relational model.


3.3 Calculus 


The language L(X) has the algebraic structure summarised in Figure 3
(which does not claim to list all laws). 

Commands abort and magic are not zeroes on both sides for sequential
composition, for that would imply their degeneration (to the same
command). Nor does sequential composition distribute demonic nondeterminism
and angelic nondeterminism on both sides. Nonetheless under demonic
nondeterminism and sequential composition, L(X) forms what might be
called a pre-quantal (by comparison with the definitions in Rosenthal’s text
[18] on quantales): the ⊓ of arbitrary subsets exists and sequential
composition is associative with an identity, skip; also sequential
composition distributes arbitrary demonic nondeterminism in its left-hand
argument, and distributes nonempty (the reason for the ‘pre’) demonic
nondeterminism in its right-hand argument.

In spite of the failure of sequential composition to distribute angelic
nondeterminism, L(X) forms a complete lattice in which each command
is the angelic choice of the compact commands³ it refines. But equality
holds in refinements (14) and (16) if each command being distributed is
predeterministic.

The operators of sequential composition and binary conditional are 
monotone in each argument. 


³ A command is compact if it aborts outside a finite set (on part of which it may, of
course, be unenabled; by comparison, a compact program aborts outside a finite set but
is everywhere enabled).
(L(X), ;, ⊓, skip) forms a pre-quantal:
  (⊓P) ; R  =  ⊓{P ; R | P ∈ P}
  P ; (⊓Q)  =  ⊓{P ; Q | Q ∈ Q},  if Q nonempty

(L(X), ⊑) forms a complete lattice and a domain
  with maximum magic and minimum abort

  magic ; R   =  magic
  P ; magic   =  magic,  if P always terminates
  (⊔P) ; Q    ⊒  ⊔{P ; Q | P ∈ P},  with equality if all P are predeterministic
  abort ; Q   =  abort
  P ; (⊔Q)    ⊒  ⊔{P ; Q | Q ∈ Q},  with equality if all Q are predeterministic
  P ; abort   =  abort,  if P always enabled

  (P ◁ b ▷ Q) ⊓ R  =  (P ⊓ R) ◁ b ▷ (Q ⊓ R)
  (P ◁ b ▷ Q) ⊔ R  =  (P ⊔ R) ◁ b ▷ (Q ⊔ R)
  (P ◁ b ▷ Q) ; R  =  (P ; R) ◁ b ▷ (Q ; R)
  P ◁ b ▷ Q        =  {b} ; P ⊔ {¬b} ; Q
                   =  (b) ; P ⊓ (¬b) ; Q

  x := f ∘ e


Figure 3: Laws for the language L(X).
4 Program Semantics


This section summarises the relational and predicate-transformer semantics
of L(X) and the (Galois) connection between them. In each case the
semantics yields a pre-quantal-right module.


4.1 Relational Semantics 


In this section we give the relational semantics of the language L(X), first
for code. Each command is represented as a relation from initial states to
the final states attainable from each initial state.


4.1.1 Relations 


The state space augmented with the improper state ⊥ (representing
nontermination) is denoted X⊥ = X ∪ {⊥}. As usual we treat X⊥ as the
flat domain X augmented with least element ⊥. The improper state ⊥ is
not part of the programming notation and it is not a value which can be
assigned to the global variable. It is simply a semantic artifact, enabling
nontermination to be distinguished from arbitrary termination.

We write relations in infix, and use the convention that, for a relation
e with domain X and range X⊥, e⊥ denotes the relation on X⊥ obtained by
adding the full ⊥-row:

e⊥ ≜ e ∪ ({⊥} × X⊥).

The semantic space for the relational semantics is the subspace of
relations on X⊥ that are strict and whose relational images are upclosed:

R(X) ≜ {d: X⊥ ↔ X⊥ | (⊥ d ⊥) ∧ (∀x: X⊥ · x d ⊥ ⇒ d.(|x|) = X⊥)}


with the inclusion ordering D for ‘more-deterministic-than’ refinement (since 
multiple-valuedness of a relation captures demonic nondeterminism of the 
command it represents). 

It is readily confirmed that (R(X), ⊇) is a domain and a complete
lattice with least element X⊥ × X⊥, greatest element {}⊥, and compact
elements the relations which are cofinite subsets of X⊥ × X⊥; moreover it
is a Boolean algebra under the usual set-theoretic complement.

The healthy closure of any relation r on X⊥ is given by the value at r
of a function h : (X⊥ ↔ X⊥) → R(X), characterised by:

x (h.r) y ≜ (x = ⊥) ∨ (x r ⊥) ∨ (x r y).


[skip]       =  id[X]⊥
[abort]      =  X⊥ × X⊥
[x := e]     =  {(x, e.x) | x ∈ X ∧ e.x terminates}⊥
[P ; Q]      =  [P] ; [Q]
[P ◁ b ▷ Q]  =  {(x, y) | x [P] y ◁ b.x ▷ x [Q] y}
[P ⊓ Q]      =  [P] ∪ [Q]
[μF]         =  ∪{d | F.d ⊇ d},  F monotone on code


Figure 4: Relational semantics of code.


Furthermore r is called healthy if h.r = r. Evidently h is well defined,
increasing (r ⊆ h.r), monotone with respect to inclusion on both sides
(r ⊆ s ⇒ h.r ⊆ h.s) and h.r is the smallest healthy relation containing r.


4.1.2 Semantics 


The relational semantics ascribes to each command P a relation [P]:R(X). 

The semantics of code is given in Figure 4. Denotations of code satisfy
this healthiness condition: for each x: X the relational image d.(|x|) is
nonempty and either finite or all of X⊥. The subspace of such healthy
relations forms a domain with least element X⊥ × X⊥, maximal elements the
(total) functions and compact elements the members for which only finitely
many elements of X are not related to every element of X⊥. In the definition
of recursion, the function F is defined on that healthy subspace of R(X)
and the relation d ranges over it.

The semantics of commands is given in Figure 5. They satisfy as
healthiness condition just the defining condition of R(X). Evidently the
space R(X) contains the space of denotations of code. However the
injection fails to form the embedding in a Galois connection. Otherwise its
companion projection would map the maximum {}⊥ : R(X) to a maximum
denotation of code; but no such denotation exists. So the two spaces have
an uneasy relationship, compared with the corresponding domains in the
predicate-transformer semantics.


4.2 Transformer Semantics


[⊓S]     =  ∪{[S] | S ∈ S}
[magic]  =  {}⊥
[{b}]    =  {(x, y) | x ∈ X ∧ y ∈ X⊥ ∧ (b.x ⇒ y = x)}⊥
[(b)]    =  {(x, x) | x ∈ X ∧ b.x}⊥
[⊔S]     =  ∩{[S] | S ∈ S}


Figure 5: Relational semantics for commands.


A command may be viewed as a predicate transformer in two, adjoint, ways.
We follow (Dijkstra’s) tradition and consider it as a function from
postconditions to preconditions: postcondition q is mapped to the
precondition true at just those states from which the command is certain
to terminate in a state satisfying q: the weakest precondition of the
command evaluated at q. (The possibility of demonic nondeterminism is
responsible for the word ‘certain’.)


4.2.1 Transformers 


Each such function is monotonic under the usual ordering on predicates: a
weaker postcondition engenders a weaker weakest precondition. We write
(pred.X, ≤) for the space of all predicates (Boolean-valued functions) on
X under the implication (pointwise) partial ordering. The space for the
transformer semantics is then the space of all functions on that space that
are monotone

T(X) ≜ {t: pred.X → pred.X | ∀q, r: pred.X · q ≤ r ⇒ t.q ≤ t.r},

ordered by the pointwise lifting of the order ≤ on predicates

t ≤ u ≜ ∀q: pred.X · t.q ≤ u.q.

Thus t is refined by u iff for each postcondition q, the weakest precondition
of t at q is at least as strong as the weakest precondition of u at q; whenever
t achieves q so too does u.

Because the order on T(X) is the lifting of implication, least upper
bounds and greatest lower bounds of arbitrary sets exist pointwise. So
(T(X), ≤) is readily seen to be a pre-quantal, a complete lattice and a
domain.
[skip]        =  id[pred.X]
[abort]       =  false
[x := e].q.x  =  q.(e.x)   (= q[e/x])
[P ; Q]       =  [P] ∘ [Q]
[P ◁ b ▷ Q]   =  [P] ◁ b ▷ [Q]
[P ⊓ Q]       =  [P] ∧ [Q]
[μF]          =  ∧{t: T(X) | F.t ≤ t},  F monotone on T(X)


Figure 6: Transformer semantics of code.


[⊓S]     =  ∧{[S] | S ∈ S}
[magic]  =  true
[{b}].q  =  b ∧ q
[(b)].q  =  b ⇒ q
[⊔S]     =  ∨{[S] | S ∈ S}


Figure 7: Transformer semantics for commands.


4.2.2 Semantics 


The transformer semantics ascribes to each command P a predicate-transformer 
[P] in T(X). 

The semantics of code is given in Figure 6. Denotations of code satisfy
Dijkstra’s healthiness conditions: the transformer is positively conjunctive
and ≤-continuous.

The semantics of commands is given in Figure 7. The healthiness
condition is simply monotonicity, the defining property of T(X).


4.2.3 Involution

For transformer t : T(X), its involute t* : T(X) is defined:

t*.q ≜ ¬ t.(¬q).


Involution plays an important role in transformer semantics: it is useful
for calculation because it obeys de Morgan’s laws, interchanging demonic
and angelic nondeterminism; it provides a duality (as a result) between
termination and enabledness; it converts one of the two simulation
conditions necessary in the relational model for data refinement to the
other, thus ensuring that one simulation condition is alone sufficient for
data refinement in the transformer semantics. Its properties are:


Theorem 1 Involution is well defined on (T(X), ≤) and satisfies


t monotone ⇒ t* monotone (24)

t** = t (25)

false* = true and true* = false (26)

t ≤ u ≡ u* ≤ t* (27)

(id[pred.X])* = id[pred.X] (28)

(t ∘ u)* = t* ∘ u* (29)

(t ∧ u)* = t* ∨ u* and (t ∨ u)* = t* ∧ u* (30)

(∧T)* = ∨(T*) (31)

t [universally] conjunctive ≡ t* [universally] disjunctive. (32)


4.3 Galois Connection 


The function wp: R(X) → T(X) is defined, for a relational computation
r: R(X), postcondition q: pred.X and state x: X:

wp.r.q.x ≜ ∀y: X⊥ · x r y ⇒ (y ≠ ⊥ ∧ q.y).

That says, as it ought, that wp.r.q holds at just those states from which
termination is ensured, in a state satisfying q. The consequent can be
simplified: since the domain of q is X, q is not defined at ⊥; so the first
conjunct can, in the presence of the type statement y: X⊥ and the
understanding that ¬(q.⊥), be omitted:

wp.r.q.x ≜ ∀y: X⊥ · x r y ⇒ q.y.

Verification that wp is well defined (that wp.r is monotone) is immediate.
It is also routine to show that wp is universally (∪, ∧)-junctive, i.e. from
(R(X), ⊆) to (T(X), ≥). Thus wp has an adjoint, called the relational
projection, rp, that can be defined as follows. For t: T(X), rp.t is the
relation on X⊥ defined to be strict and to satisfy, for x: X and y: X⊥,

x (rp.t) y ≡ ∀q: pred.X · t.q.x ⇒ q.y,

again with the convention ¬(q.⊥). In particular rp.false = X⊥ × X⊥.
Adjunction means that

t ≤ wp.r  ≡  r ⊆ rp.t (33)

so that the functions wp and rp form a Galois connection between the
relational and transformer spaces with their orders reversed: from the space
(R(X), ⊆) to the space (T(X), ≥).

Standard theory [17] shows that the Galois connection preserves much
of the structure on the two semantic models, except for angelic
nondeterminism. Gathering the (elementary) properties we need, in spite of
some being consequences of others:


Theorem 2 The Galois connection satisfies


r ⊆ s ⇒ wp.r ≥ wp.s (34)

t ≥ u ⇒ rp.t ⊆ rp.u (35)

rp ∘ wp = id[R(X)] (36)

id[T(X)] ≤ wp ∘ rp (37)

wp.(r ; s) = (wp.r) ∘ (wp.s) (38)

wp.(id[X]⊥) = id[pred.X] (39)

rp.(t ∘ u) = (rp.t) ; (rp.u) (40)

rp.(id[pred.X]) = id[X]⊥ (41)

∀U ⊆ T(X) · rp.(∨U) = ∩(rp.U) (42)

∀U ⊆ T(X) · rp.(∧U) ⊇ ∪(rp.U) (43)

rp.true = {}⊥ (44)

rp.false = X⊥ × X⊥ (45)

∀S ⊆ R(X) · wp.(∪S) = ∧(wp.S) (46)

wp.(X⊥ × X⊥) = false (47)

wp.{}⊥ = true (48)

∀S ⊆ R(X) · wp.(∩S) ≥ ∨(wp.S) (49)


The fact that inequality (49) may be strict indicates why the embedding
wp cannot be used to lift angelic nondeterminism from relations to
transformers. Otherwise, the transformer semantics (Figures 6 and 7) is
obtained from the relational semantics (Figures 4 and 5) under wp.
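To make the connection concrete, here is an added example (not part of the paper) in Python. Over a constructed two-element state space X = {0, 1} with the improper state ⊥ it builds R(X) (as the healthy closures of all relations from X to X⊥) and T(X) (all monotone maps on pred.X), implements h, wp and rp exactly as defined above, and checks Laws (33), (36), (38) and (44)–(48) by exhaustive enumeration; it also searches for a pair of relations at which (49) is strict. The state space, the representation of predicates as subsets of X, and all function names are assumptions of the example.

```python
"""Added example: the wp/rp Galois connection on a constructed finite state space."""
from itertools import combinations, product

BOT = "bot"                       # the improper state ⊥ (nontermination)
X = (0, 1)                        # constructed proper state space X (an assumption)
X_BOT = X + (BOT,)                # X⊥
# A predicate on X is represented by the subset of X where it holds; true = X, false = {}.
PREDS = [frozenset(c) for n in range(len(X) + 1) for c in combinations(X, n)]
TRUE, FALSE = frozenset(X), frozenset()


def healthy_closure(r):
    """h.r: add the full ⊥-row (strictness) and fill every row that reaches ⊥ (upclosure)."""
    h = set(r) | {(BOT, y) for y in X_BOT}
    for x in X:
        if (x, BOT) in h:
            h |= {(x, y) for y in X_BOT}
    return frozenset(h)


def all_healthy_relations():
    """R(X): the healthy closures of all relations from X to X⊥."""
    pairs = [(x, y) for x in X for y in X_BOT]
    return {healthy_closure({p for p, bit in zip(pairs, bits) if bit})
            for bits in product((0, 1), repeat=len(pairs))}


def image(r, x):
    return frozenset(y for (x2, y) in r if x2 == x)


def compose(r, s):
    """Forward relational composition r ; s."""
    return frozenset((x, z) for (x, y) in r for (y2, z) in s if y == y2)


def wp(r):
    """wp.r.q.x = ∀y:X⊥ · x r y ⇒ (y ≠ ⊥ ∧ q.y); a transformer is a dict q ↦ wp.r.q."""
    return {q: frozenset(x for x in X
                         if all(y != BOT and y in q for y in image(r, x)))
            for q in PREDS}


def rp(t):
    """rp.t: strict, with x (rp.t) y ≡ ∀q · t.q.x ⇒ q.y, under the convention ¬(q.⊥)."""
    rel = {(BOT, y) for y in X_BOT}
    for x in X:
        for y in X_BOT:
            if all(y != BOT and y in q for q in PREDS if x in t[q]):
                rel.add((x, y))
    return frozenset(rel)


def all_transformers():
    """T(X): every monotone map pred.X → pred.X."""
    ts = []
    for outs in product(PREDS, repeat=len(PREDS)):
        t = dict(zip(PREDS, outs))
        if all(t[q] <= t[q2] for q in PREDS for q2 in PREDS if q <= q2):
            ts.append(t)
    return ts


def leq(t, u):
    """t ≤ u ≜ ∀q · t.q ≤ u.q (u refines t)."""
    return all(t[q] <= u[q] for q in PREDS)


def compose_t(t, u):
    """(t ∘ u).q = t.(u.q): the transformer of a sequential composition."""
    return {q: t[u[q]] for q in PREDS}


ABORT = frozenset(product(X_BOT, X_BOT))      # X⊥ × X⊥
MAGIC = healthy_closure(set())                # {}⊥
SKIP = healthy_closure({(x, x) for x in X})   # id[X]⊥


def check_galois_connection():
    """Law (33): t ≤ wp.r ≡ r ⊆ rp.t, for every healthy r and monotone t."""
    rels, ts = all_healthy_relations(), all_transformers()
    return all(leq(t, wp(r)) == (r <= rp(t)) for t in ts for r in rels)


def check_rp_wp_identity():
    """Law (36): rp ∘ wp = id[R(X)], so the relational model embeds in the transformer model."""
    return all(rp(wp(r)) == r for r in all_healthy_relations())


def check_wp_sequential():
    """Law (38): wp.(r ; s) = (wp.r) ∘ (wp.s)."""
    rels = all_healthy_relations()
    return all(wp(compose(r, s)) == compose_t(wp(r), wp(s)) for r in rels for s in rels)


def angelic_gap():
    """Law (49) can be strict: return (r, s) with wp.(r ∩ s) ≠ wp.r ∨ wp.s, or None."""
    rels = all_healthy_relations()
    for r in rels:
        for s in rels:
            pointwise_join = {q: wp(r)[q] | wp(s)[q] for q in PREDS}
            if wp(r & s) != pointwise_join:
                return r, s
    return None
```

With two proper states there are 25 healthy relations and a few dozen monotone transformers, so every check is exhaustive and runs in well under a second; the pair returned by angelic_gap is a witness that wp reflects demonic choice (∪ ↦ ∧) faithfully but not angelic choice (∩ ↦ ∨), which is the obstruction the text describes.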
5 No Relational Involution


In this section we establish that there is no function on R(X) satisfying the 
minimum requirements of an involution—as exhibited by * on transformers. 
Henceforth, semantic brackets refer solely to the relational semantics. 


Theorem 3 There is no function * on R(X) that is involutive, obeys either
of the De Morgan laws and distributes sequential composition, i.e. that
satisfies


(a) ∀r: R(X) · r** = r

(b) either ∀r, s: R(X) · (r ∪ s)* = r* ∩ s*
    or ∀r, s: R(X) · (r ∩ s)* = r* ∪ s*

(c) ∀r, s: R(X) · (r ; s)* = r* ; s*.


Proof: We argue by contradiction, establishing an untenable identity.
First we observe that Assumptions (a) and (b) are sufficient to establish the
equivalence of the two De Morgan laws in Assumption (b):

(d) (r ∩ s)* = r* ∪ s*  ≡  (r ∪ s)* = r* ∩ s*.

The proof is trivial: if the first De Morgan law holds then

(r ∩ s)*
= Assumption (a)
(r** ∩ s**)*
= Assumption (b)
(r* ∪ s*)**
= Assumption (a)
r* ∪ s*

so that the second De Morgan law holds, and the result follows by symmetry.
Now for relations

r ; (s ∪ t) = (r ; s) ∪ (r ; t). (50)

But in the light of the calculation above, that is inconsistent with the
potentially strict Law (16), because from (50) we can infer, for any
r, s, t: R(X),

r ; (s ∩ t) = (r ; s) ∩ (r ; t). (51)
Indeed

r ; (s ∩ t)
= Assumption (a)
((r ; (s ∩ t))*)*
= Assumption (c)
(r* ; (s ∩ t)*)*
= Assumption (b)
(r* ; (s* ∪ t*))*
= Law (50)
((r* ; s*) ∪ (r* ; t*))*
= Assumption (b)
(r* ; s*)* ∩ (r* ; t*)*
= Assumption (c)
(r** ; s**) ∩ (r** ; t**)
= Assumption (a)
(r ; s) ∩ (r ; t).

It remains to demonstrate that Claim (51) fails, for which a simple
example suffices. Considering X = {0, 1} with

r = {(0, 0), (0, 1)},
s = {(0, 0)},
t = {(1, 0)},

we find

r ; (s ∩ t) = {} ⊂ {(0, 0)} = (r ; s) ∩ (r ; t).
As an application of our theme—the investigation of the extent to which
reasoning that is normally done semantically can be done algebraically—
the following corollary lifts that counterexample, and hence the theorem, to
R(X).

Corollary 1 Theorem 3 holds in any R(X) where X has at least two
elements.

Proof: In the previous proof, only the counterexample used semantic
reasoning and hence needs to be reworked in R(X). Without loss we assume
that X has exactly two elements (otherwise the following construction can
be embedded within X).

Consider doubleton state space X = {x₀, x₁} and computations

R ≜ (x = x₀) ; (x := x₀ ⊓ x := x₁)
S ≜ (x = x₀)
T ≜ (x ≠ x₀) ; x := x₀.

We claim that:

S ⊔ T = magic (52)
(R ; S) ⊔ (R ; T) = S (53)
R ; (S ⊔ T) = magic. (54)

For Claim (52), we reason

S ⊔ T
= definition
(x = x₀) ⊔ ((x ≠ x₀) ; x := x₀)
= definition of coercion
(skip ◁ x = x₀ ▷ magic) ⊔ ((skip ◁ x ≠ x₀ ▷ magic) ; x := x₀)
= Law (20)
(skip ◁ x = x₀ ▷ magic) ⊔ ((skip ; x := x₀) ◁ x ≠ x₀ ▷ (magic ; x := x₀))
= Laws (7), (12), calculus
(skip ◁ x = x₀ ▷ magic) ⊔ (magic ◁ x = x₀ ▷ x := x₀)
= Law (19), calculus
(skip ⊔ magic) ◁ x = x₀ ▷ (magic ⊔ x := x₀)
= Law (11)
magic ◁ x = x₀ ▷ magic
= calculus
magic.

For Claim (53) we show (R ; S) = (R ; T) = S and, since each is
similar, we prove just one equality:

R ; S
= definitions
(x = x₀) ; (x := x₀ ⊓ x := x₁) ; (x = x₀)
= definition of coercion
(skip ◁ x = x₀ ▷ magic) ; (x := x₀ ⊓ x := x₁) ; (skip ◁ x = x₀ ▷ magic)
= Laws (20), (7), (9), (12)
((x := x₀ ⊓ x := x₁) ◁ x = x₀ ▷ magic) ; (skip ◁ x = x₀ ▷ magic)
= Laws (20), (12) again
((x := x₀ ⊓ x := x₁) ; (skip ◁ x = x₀ ▷ magic)) ◁ x = x₀ ▷ magic
= Law (8)
((x := x₀ ; (skip ◁ x = x₀ ▷ magic)) ⊓ (x := x₁ ; (skip ◁ x = x₀ ▷ magic))) ◁ x = x₀ ▷ magic
= Law (23)
((skip ◁ true ▷ magic) ⊓ (skip ◁ false ▷ magic)) ◁ x = x₀ ▷ magic
= calculus
(skip ⊓ magic) ◁ x = x₀ ▷ magic
= Law (11)
skip ◁ x = x₀ ▷ magic
= definition of coercion
(x = x₀)
= definition
S.


For Claim (54), we start by observing that if y: X then the assignment
x := y is total and hence by Law (13)

x := y ; magic = magic. (55)

Thus

(x := x₀ ⊓ x := x₁) ; magic
= Law (8)
(x := x₀ ; magic) ⊓ (x := x₁ ; magic)
= Claim (55) and ⊓ idempotent
magic.

Now we observe

R ; (S ⊔ T)
= definition and Claim (52)
(x = x₀) ; (x := x₀ ⊓ x := x₁) ; magic
= just established
(x = x₀) ; magic
= definition of coercion
(skip ◁ x = x₀ ▷ magic) ; magic
= Laws (20), (12), (13)
magic ◁ x = x₀ ▷ magic
= calculus
magic.

Having established the three claims we infer the strict inclusion sought
by comparing Claims (53) and (54).
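The three claims can also be checked semantically. The following added example (not from the paper) computes the denotations of R, S and T in R(X) over a constructed doubleton state space, following Figures 4 and 5 (coercion, constant assignment, ⊓ as union, ⊔ as intersection), confirms (52), (53) and (54), and shows (50) holding beside (51) failing for this triple. It also classifies these commands at each state under a relational reading of the Section 3.2 definitions, which is an assumption of the example: aborting means ⊥ is reachable, enabledness means a nonempty image, and determinism means exactly one proper successor. All names are the example's own.

```python
"""Added example: Corollary 1 checked in R(X) over a constructed doubleton state space."""
from itertools import product

BOT = "bot"                       # the improper state ⊥ (nontermination)
X = ("x0", "x1")                  # the doubleton state space of Corollary 1 (assumed names)
X_BOT = X + (BOT,)


def healthy_closure(r):
    """h.r: add the full ⊥-row (strictness) and fill every row that reaches ⊥ (upclosure)."""
    h = set(r) | {(BOT, y) for y in X_BOT}
    for x in X:
        if (x, BOT) in h:
            h |= {(x, y) for y in X_BOT}
    return frozenset(h)


def compose(r, s):
    """Forward relational composition r ; s, the denotation of sequential composition."""
    return frozenset((x, z) for (x, y) in r for (y2, z) in s if y == y2)


def image(r, x):
    return frozenset(y for (x2, y) in r if x2 == x)


# Denotations following Figures 4 and 5: a coercion (b) relates x to itself
# where b holds and to nothing elsewhere; ⊓ is union, ⊔ is intersection.
def coerce(b):
    return healthy_closure({(x, x) for x in X if b(x)})


def assign(value):
    """x := value for a constant value, the only assignments the corollary uses."""
    return healthy_closure({(x, value) for x in X})


def demonic(*rs):
    return frozenset().union(*rs)


def angelic(*rs):
    return frozenset.intersection(*rs)


MAGIC = healthy_closure(set())                 # {}⊥
ABORT = frozenset(product(X_BOT, X_BOT))       # X⊥ × X⊥

R = compose(coerce(lambda x: x == "x0"), demonic(assign("x0"), assign("x1")))
S = coerce(lambda x: x == "x0")
T = compose(coerce(lambda x: x != "x0"), assign("x0"))


def claims():
    """Claims (52), (53) and (54) of Corollary 1, evaluated in R(X)."""
    return (angelic(S, T) == MAGIC,
            angelic(compose(R, S), compose(R, T)) == S,
            compose(R, angelic(S, T)) == MAGIC)


def distribution_laws():
    """(50) holds: ; distributes ⊓ (union); (51) fails: ; does not distribute ⊔ (intersection)."""
    over_demonic = compose(R, demonic(S, T)) == demonic(compose(R, S), compose(R, T))
    over_angelic = compose(R, angelic(S, T)) == angelic(compose(R, S), compose(R, T))
    return over_demonic, over_angelic


def classify(r, x):
    """Relational reading (an assumption of this example) of the Section 3.2 notions at x:
    aborts iff ⊥ is reachable, enabled iff some final state exists, deterministic iff
    exactly one proper final state."""
    img = image(r, x)
    enabled, aborts = bool(img), BOT in img
    single = len(img) == 1 and not aborts
    return {"enabled": enabled, "aborts": aborts, "deterministic": single,
            "postdeterministic": (not enabled) or single,
            "predeterministic": enabled and (aborts or single)}
```

Note that the strict inclusion is visible as MAGIC being a proper subset of S: in the ⊇ refinement order magic lies strictly above S, exactly as (53) and (54) together assert.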

The result of this section may be re-phrased: any attempt to define an 
involution on R(X) by structural induction over commands leads to incon- 
sistency unless at least one of the properties (a) to (c) is violated. In the 
following three sections we consider weaker alternatives to an involution by 
weakening our requirements and being guided by semantic considerations. 


6 Complement 


To begin our quest for ‘weak involutions’ on R(X), the most obvious a 
priori choice seems to lie with some form of set-theoretic complement on 
the grounds that it satisfies the De Morgan laws, interchanging unions (i.e. 
demonic nondeterminism) and intersections (i.e. angelic nondeterminism). 

On inspection we are confronted with two alternatives. Before making
the result healthy we could complement with respect to all states (i.e.
including ⊥) or with respect to just proper states (i.e. excluding ⊥). The
former operation we call ‘complement’ and investigate in this section; the
latter we call ‘proper complement’ and investigate in the next. We shall see
that both are severely restricted compared with involution on transformers.

The complement of a relation $r : X_\bot \leftrightarrow X_\bot$ is defined to be the relation $\overline{r} : X_\bot \leftrightarrow X_\bot$ that is the complement of $r$ in $X_\bot \times X_\bot$, made healthy:

$\overline{r} = h.((X_\bot \times X_\bot) \setminus r)$.

Simple examples show that both $\bot$-closure and upclosure are necessary in order for complement to be well-defined on $R(X)$, the object of our interest. An equivalent definition is $\overline{r} = h.((X \times X_\bot) \setminus r)$.
Complement shares only a few of the properties of involution on $T(X)$ because it is so severe. Indeed translated to computational terms, the following result shows that if, from an initial state, a command is either not enabled or terminating then its complement diverges there; whilst if the command diverges then its complement is not enabled. So from any initial state the complement is either not enabled or divergent.


Theorem 4 The complement of a relation is healthy: for any relation $r$ on $X_\bot$, $\overline{r} : R(X)$. In particular, complement is well defined on $R(X)$. Furthermore, for any $r : R(X)$ and any $x : X$,

$\overline{r}.(|x|) = (\{\} \lhd x\,r\,\bot \rhd X_\bot)$.

Proof: By definition $\overline{r}$ is both strict and upclosed, and hence in $R(X)$.

We observe that if $r$ is healthy and $x\,r\,\bot$ then $r.(|x|) = X_\bot$, hence $\overline{r}.(|x|) = \{\}$ and so the first part of the dichotomy holds. For the second part, if $\neg(x\,r\,\bot)$ then $\bot \notin r.(|x|)$ and so $\bot \in \overline{r}.(|x|)$, which by healthiness means $\overline{r}.(|x|) = X_\bot$.


By having at most two outcomes from each initial state, complement 
identifies quite different computations. As a result it satisfies its laws really 
by default: 


Corollary 2 1. For any $r : R(X)$, $\overline{\overline{r}} \subseteq r$ and for any $x : X$,

$\overline{\overline{r}}.(|x|) = (X_\bot \lhd x\,r\,\bot \rhd \{\})$.

2. For any $r, s : R(X)$,

$r \subseteq s$ implies $\overline{r} \supseteq \overline{s}$, and $\overline{r ; s} \subseteq \overline{r} ; \overline{s}$.

Also $\overline{id[X]_\bot} = X_\bot \times X_\bot$.

3. For any subset $E$ of $R(X)$, $\overline{\bigcup E} = \bigcap \overline{E}$ and $\overline{\bigcap E} = \bigcup \overline{E}$. In particular

$\overline{\{\}_\bot} = X_\bot \times X_\bot = \overline{(X \times X)_\bot}$ and $\overline{X_\bot \times X_\bot} = \{\}_\bot$.

4. For any predicate $b$ on $X$ and any $x : X$,

$\overline{[\![\{b\}]\!]}.(|x|) = (X_\bot \lhd b.x \rhd \{\})$ and $\overline{[\![[b]]\!]}.(|x|) = X_\bot$.

For any relations $r$ and $s$ on $X_\bot$,

$\overline{r \lhd b \rhd s} \supseteq \overline{r} \lhd b \rhd \overline{s}$.

Furthermore each containment (in 1, 2 and 4) may be strict.
Proof:

1. We reason

$\overline{\overline{r}}.(|x|)$
= previous theorem
$\{\} \lhd x\,\overline{r}\,\bot \rhd X_\bot$
= $\overline{r}$ healthy
$\{\} \lhd \overline{r}.(|x|) = X_\bot \rhd X_\bot$
= $r$ healthy
$\{\} \lhd \neg(x\,r\,\bot) \rhd X_\bot$
= calculus
$X_\bot \lhd x\,r\,\bot \rhd \{\}$

from which the claims follow.


2. Co-monotonicity follows because complement is obtained by compos- 
ing the co-monotone function ‘set complement’ with the monotone 
function ‘healthy closure’. 


For sequential composition we reason

$\overline{r ; s}.(|x|)$
= previous theorem
$\{\} \lhd x\,(r ; s)\,\bot \rhd X_\bot$
= definition of composition
$\{\} \lhd (x\,r\,\bot \vee \exists y : X_\bot \cdot x\,r\,y \wedge y\,s\,\bot) \rhd X_\bot$
= calculus
$\{\} \lhd (x\,r\,\bot \vee \exists y : r.(|x|) \cdot y\,s\,\bot) \rhd X_\bot$
= previous theorem
$\{\} \lhd (\overline{r}.(|x|) = \{\} \vee \exists y : r.(|x|) \cdot \overline{s}.(|y|) = \{\}) \rhd X_\bot$
$\subseteq$ set theory
$\{\} \lhd (\overline{r}.(|x|) = \{\} \vee \forall y : X_\bot \cdot \overline{s}.(|y|) = \{\}) \rhd X_\bot$
= definitions of composition and complement
$(\overline{r} ; \overline{s}).(|x|)$.

In general the reverse inclusion does not hold, as shown by considering the relational semantics $r = [\![skip]\!]$ and $s = [\![abort]\!]$:

$\overline{r ; s} = \overline{[\![skip]\!] ; [\![abort]\!]} = \overline{[\![abort]\!]} = [\![magic]\!]$

whilst

$\overline{r} ; \overline{s} = \overline{[\![skip]\!]} ; \overline{[\![abort]\!]} = [\![abort]\!] ; [\![magic]\!] = [\![abort]\!]$,

which establishes $\overline{r ; s} \subset \overline{r} ; \overline{s}$.

The calculation for the identity is routine.
3. De Morgan’s laws, and hence the extreme cases, follow similarly. 


4. The first two claims result from routine calculation. Firstly

$\overline{[\![\{b\}]\!]}.(|x|)$
= previous theorem
$\{\} \lhd x\,[\![\{b\}]\!]\,\bot \rhd X_\bot$
= $x\,[\![\{b\}]\!]\,\bot \equiv \neg b.x$
$X_\bot \lhd b.x \rhd \{\}$,

and secondly

$\overline{[\![[b]]\!]}.(|x|)$
= previous theorem
$\{\} \lhd x\,[\![[b]]\!]\,\bot \rhd X_\bot$
= $x\,[\![[b]]\!]\,\bot \equiv false$
$X_\bot$.

For the third claim, for any $x : X$,

$(\overline{r} \lhd b \rhd \overline{s}).(|x|)$
= definition of binary conditional
$\overline{r}.(|x|) \lhd b.x \rhd \overline{s}.(|x|)$
= definition of complement
$(\{\} \lhd x\,r\,\bot \rhd X_\bot) \lhd b.x \rhd (\{\} \lhd x\,s\,\bot \rhd X_\bot)$
$\subseteq$ calculus
$\{\} \lhd (b.x \wedge x\,r\,\bot) \vee (\neg b.x \wedge x\,s\,\bot) \rhd X_\bot$
= definition of binary conditional
$\{\} \lhd x\,(r \lhd b \rhd s)\,\bot \rhd X_\bot$
= definition of complement
$\overline{r \lhd b \rhd s}.(|x|)$.

To show the inclusion may be strict take, in the relational semantics, $r = [\![skip]\!]$ and $s = [\![abort]\!]$ so that the conditional is an assertion. So using the first claim,

$\overline{r \lhd b \rhd s} = \{\}_\bot$, whilst $\overline{r} \lhd b \rhd \overline{s} = (X_\bot \times X_\bot) \lhd b \rhd \{\}_\bot$,

hence

$\overline{r \lhd b \rhd s} \subset \overline{r} \lhd b \rhd \overline{s}$.

Thus complement happens to be sub-involutive on R(X ) , co-monotone, 
sub-distributes sequential composition, interchanges angelic and demonic 
nondeterminism, (hence) interchanging abort and magic, takes skip to 
magic, takes an assertion to a binary conditional between abort and magic, 
and takes a coercion to abort. However from the theorem we see that it 
identifies too many computations to be useful. 


7 Proper Complement 


The proper complement of a relation $r : X_\bot \leftrightarrow X_\bot$ is defined to be the relation $\widetilde{r} : X_\bot \leftrightarrow X_\bot$ that is the complement of $r$ in $X \times X$, made healthy:

$\widetilde{r} = h.((X \times X) \setminus r)$.

In fact only $\bot$-closure is necessary there in order for proper complement to be well-defined on $R(X)$, because proper complement loses information about divergence and so upclosure is redundant.

We find, as a result, that proper complement identifies far fewer com- 
putations than does complement: the only behaviours that are identified 
are divergence and arbitrary terminating behaviour from some state (both, 
we shall see, being mapped to not enabled behaviour from that state). 


Theorem 5 For any relation $r$ on $X_\bot$,

$\widetilde{r}.(|x|) = (X_\bot \lhd x = \bot \rhd X \setminus r.(|x|))$.

In particular, proper complement is well defined on $R(X)$.

Proof: The first identity follows by definition and well-definedness follows from it immediately.

Proper complement is sub-involutive, $\widetilde{\widetilde{r}} \subseteq r$, is contained in complement, is co-monotone, satisfies De Morgan's laws over nonempty sets, and takes not enabled behaviour to arbitrary termination.


Corollary 3 1. For any relation $r$ on $X_\bot$ and any $x : X_\bot$,

$\widetilde{\widetilde{r}}.(|x|) = (X_\bot \lhd x = \bot \rhd X \cap r.(|x|))$.

Hence proper complement is sub-involutive: $\widetilde{\widetilde{r}} \subseteq r$.

2. Proper complement is contained in complement: for any relation $r$ on $X_\bot$, $\widetilde{r} \subseteq \overline{r}$.

3. For any relations $r$ and $s$ on $X_\bot$

$r \subseteq s$ implies $\widetilde{r} \supseteq \widetilde{s}$.

But in general $\widetilde{r ; s} \neq \widetilde{r} ; \widetilde{s}$, and in particular, $\widetilde{id[X]_\bot} \neq id[X]_\bot$.

4. For any set $E$ of relations on $X_\bot$, $\widetilde{\bigcap E} = \bigcup \widetilde{E}$, and if $E$ is nonempty then $\widetilde{\bigcup E} = \bigcap \widetilde{E}$. In particular,

$\widetilde{\{\}_\bot} = (X \times X)_\bot$ and $\widetilde{X_\bot \times X_\bot} = \{\}_\bot = \widetilde{(X \times X)_\bot}$.

5. For any predicate $b$ on $X$ and any $x : X$, in the relational semantics,

$\widetilde{[\![\{b\}]\!]}.(|x|) = [\![neq \lhd b \rhd magic]\!].(|x|)$

$\widetilde{[\![[b]]\!]}.(|x|) = [\![neq \lhd b \rhd choose]\!].(|x|)$,

and for any relations $r$ and $s$ on $X_\bot$,

$\widetilde{r \lhd b \rhd s} = \widetilde{r} \lhd b \rhd \widetilde{s}$.

Furthermore each containment (in 1, 2 and 3) may be strict.
Proof: 


1. We reason

$\widetilde{\widetilde{r}}.(|x|)$
= previous theorem
$X_\bot \lhd x = \bot \rhd (X \setminus \widetilde{r}.(|x|))$
= previous theorem and calculus
$X_\bot \lhd x = \bot \rhd (X \setminus (X \setminus r.(|x|)))$
= set theory
$X_\bot \lhd x = \bot \rhd (X \cap r.(|x|))$.

Therefore

$\widetilde{\widetilde{r}} = ((X \times X) \cap r)_\bot$.

The claimed sub-involutivity follows. Routine verification shows that the relational semantics of the commands choose and abort have the same proper complement, so strict inclusion may hold.


2. We reason from elementary set theory:

$true$
$\Rightarrow$
$X \times X \subseteq X_\bot \times X_\bot$
$\Rightarrow$ calculus
$(X \times X) \setminus r \subseteq (X_\bot \times X_\bot) \setminus r$
$\Rightarrow$ $h$ monotone
$h.((X \times X) \setminus r) \subseteq h.((X_\bot \times X_\bot) \setminus r)$
= definitions
$\widetilde{r} \subseteq \overline{r}$.

Strictness follows by taking, for example, $r = (X \times X)_\bot$ so that the left-hand side is $\{\}_\bot$ and the right-hand side is $X_\bot \times X_\bot$.


3. Antimonotonicity follows as in the previous corollary. 


However proper complement fails to distribute sequential composition,

$\widetilde{r ; s} = \widetilde{r} ; \widetilde{s}$, (56)

even weakly (i.e. in one direction). A simple example demonstrating that in general no inclusion holds between those two sides is obtained by considering state space $X = \{0, 1\}$ and commands skip and neq (recall that the latter chooses a final state different from the initial state; we are concerned only with state space having more than one element). Their relational semantics are, respectively,

$r = [\![skip]\!] = \{(0, 0), (1, 1)\}_\bot$
$s = [\![neq]\!] = \{(0, 1), (1, 0)\}_\bot$,

which are proper complements. We infer that

$\widetilde{r ; s} = \widetilde{s} = r$ and $\widetilde{r} ; \widetilde{s} = s ; r = s$,

so the two sides of (56) are nonempty and disjoint on proper states.

It also follows that

$\widetilde{id[X]_\bot} = [\![neq]\!] \neq id[X]_\bot$.


4. For a nonempty set $E$ of relations we reason

$\widetilde{\bigcup E}$
= definition of proper complement
$h.((X \times X) \setminus \bigcup E)$
= calculus and $E$ nonempty
$h.(\bigcap \{(X \times X) \setminus r \mid r \in E\})$
= $h$ distributes intersections
$\bigcap \{h.((X \times X) \setminus r) \mid r \in E\}$
= definition of proper complement
$\bigcap \{\widetilde{r} \mid r \in E\}$
= notation
$\bigcap \widetilde{E}$.

Taking $E = \{\}$ we find

$\widetilde{\bigcup \{\}}$
= definition of proper complement
$h.((X \times X) \setminus \bigcup \{\})$
= calculus
$h.(X \times X)$
= definition of $h$
$(X \times X)_\bot$
$\subset$ calculus
$X_\bot \times X_\bot$
= calculus
$\bigcap \{\widetilde{r} \mid r \in \{\}\}$
= definition
$\bigcap \widetilde{\{\}}$.

The dual $\widetilde{\bigcap E} = \bigcup \widetilde{E}$ follows similarly but there is no need for the restriction to nonempty sets since, if $E = \{\}$,

$\widetilde{\bigcap \{\}}$
= definition of proper complement
$h.((X \times X) \setminus \bigcap \{\})$
= calculus
$h.((X \times X) \setminus (X_\bot \times X_\bot))$
= calculus
$h.(\{\})$
= definition of $h$
$\{\}_\bot$
= calculus
$\bigcup \{\widetilde{r} \mid r \in \{\}\}$
= definition
$\bigcup \widetilde{\{\}}$.


5. We reason

$\widetilde{[\![\{b\}]\!]}.(|x|)$
= characterisation of proper complement
$X \setminus [\![\{b\}]\!].(|x|)$
= definition of assertion
$X \setminus (\{x\} \lhd b.x \rhd X_\bot)$
= calculus
$(X \setminus \{x\}) \lhd b.x \rhd \{\}$
= definitions of relational semantics and (4)
$[\![neq \lhd b \rhd magic]\!].(|x|)$,

and similarly for coercion.


For the last part

$(\widetilde{r} \lhd b \rhd \widetilde{s}).(|x|)$
= definition of binary conditional
$\widetilde{r}.(|x|) \lhd b.x \rhd \widetilde{s}.(|x|)$
= definition of proper complement
$(X_\bot \lhd x = \bot \rhd (X \setminus r.(|x|))) \lhd b.x \rhd (X_\bot \lhd x = \bot \rhd (X \setminus s.(|x|)))$
= calculus
$X_\bot \lhd x = \bot \rhd ((X \setminus r.(|x|)) \lhd b.x \rhd (X \setminus s.(|x|)))$
= definition of binary conditional
$X_\bot \lhd x = \bot \rhd (X \setminus (r \lhd b \rhd s).(|x|))$
= definition of proper complement
$\widetilde{r \lhd b \rhd s}.(|x|)$.


8 Galois Star 


The previous two complement-based attempts at defining an involution on 
R(X) satisfied too few laws to be of use, because they failed to preserve 
important computational distinctions. 

An alternative weak involution may be defined by translating to relations the involution on transformers, using the Galois connection of section 4. Accordingly we define the Galois star of a relation $r : X_\bot \leftrightarrow X_\bot$ to be the relation $r^\dagger : X_\bot \leftrightarrow X_\bot$,

$r^\dagger = rp.((wp.r)^*)$.


Theorem 6 Galois star is well defined on $R(X)$: indeed for any relation $r$ on $X_\bot$, $r^\dagger \in R(X)$. Furthermore for any proper state $y$,

$x\,r^\dagger\,y \equiv x = \bot \vee r.(|x|) \subseteq \{y\}$.

Proof: Galois star is the composition of three functions, the last of whose range lies in $R(X)$, and so the first claim follows.

For the second claim we argue routinely that, if $x : X_\bot$ and $y : X$, then

$x\,r^\dagger\,y$
= definition of Galois star
$x\,(rp.((wp.r)^*))\,y$
= definition of $rp$
$x = \bot \vee \forall q : pred.X \cdot (wp.r)^*.q.x \Rightarrow q.y$
= definition of $wp$ and calculus
$x = \bot \vee \forall q : pred.X \cdot (\forall w : X \cdot \neg q.w \vee \neg(x\,r\,w)) \vee q.y$
= calculus
$x = \bot \vee \forall w : X \cdot x\,r\,w \Rightarrow (\forall q : pred.X \cdot q.w \Rightarrow q.y)$
= calculus
$x = \bot \vee \forall w : X \cdot x\,r\,w \Rightarrow w = y$
= calculus
$x = \bot \vee r.(|x|) \subseteq \{y\}$.


As a result, $r^\dagger.(|x|)$ is severely constrained: it can be empty, a singleton or all of $X_\bot$. In particular we are already able to see the extent to which Galois star $\dagger$ retains the switching of demonic and angelic nondeterminism, exhibited by the transformer involution $*$. Indeed a command $P$ exhibits demonic nondeterminism or diverges at (proper state) $x$ iff, in the relational semantics, there is no $y$ for which $[\![P]\!].(|x|) \subseteq \{y\}$; which holds iff $x \notin dom.[\![P]\!]^\dagger$; which holds iff $[\![P]\!]^\dagger$ is not enabled at $x$. More precisely, we have:


Corollary 4 1. For any relation $r$ on $X_\bot$, $r^{\dagger\dagger} \supseteq r$.

2. For any relations $r$ and $s$ on $X_\bot$,

$r \subseteq s$ implies $r^\dagger \supseteq s^\dagger$, and $(r ; s)^\dagger = r^\dagger ; s^\dagger$.

Also $id[X]_\bot^\dagger = id[X]_\bot$.

3. For any subset $E$ of relations on $X_\bot$,

$(\bigcup E)^\dagger = \bigcap E^\dagger$ and $(\bigcap E)^\dagger \supseteq \bigcup E^\dagger$.

In particular,

$\{\}_\bot^\dagger = X_\bot \times X_\bot$ and $(X_\bot \times X_\bot)^\dagger = \{\}_\bot = (X \times X)_\bot^\dagger$.

4. For any predicate $b$ on $X$,

$[\![\{b\}]\!]^\dagger = [\![[b]]\!]$ and $[\![[b]]\!]^\dagger = [\![\{b\}]\!]$,

and for any relations $r$ and $s$ on $X_\bot$,

$(r \lhd b \rhd s)^\dagger = r^\dagger \lhd b \rhd s^\dagger$.

Furthermore the containments in Parts 1 and 3 may be strict.


Proof: 


1. Iterating the characterisation of the theorem we find

$x\,r^{\dagger\dagger}\,y \equiv x = \bot \vee \forall z : X_\bot \cdot r.(|x|) \subseteq \{z\} \Rightarrow (z = y)$.

Evidently if $x\,r\,y$ then that condition holds, and so $r^{\dagger\dagger} \supseteq r$ as required.

Routine calculation shows that Galois star is not injective and so not involutive; a particular strict containment is:

$(X \times X)_\bot^{\dagger\dagger} = X_\bot \times X_\bot \supset (X \times X)_\bot$.
2. For co-monotonicity we reason

$r \subseteq s$
$\Rightarrow$ Law (34)
$wp.r \sqsupseteq wp.s$
$\Rightarrow$ Law (29)
$(wp.r)^* \sqsubseteq (wp.s)^*$
$\Rightarrow$ Law (35)
$rp.((wp.r)^*) \supseteq rp.((wp.s)^*)$
= definition of Galois star
$r^\dagger \supseteq s^\dagger$.

For sequential composition we reason using simple properties

$(r ; s)^\dagger$
= definition of Galois star
$rp.((wp.(r ; s))^*)$
= Law (38)
$rp.((wp.r \circ wp.s)^*)$
= Law (27)
$rp.((wp.r)^* \circ (wp.s)^*)$
= Law (40)
$rp.((wp.r)^*) ; rp.((wp.s)^*)$
= definition of Galois star
$r^\dagger ; s^\dagger$.

Let us continue to write $id[X]_\bot$ for the healthy identity relation on $X_\bot$ but also $id[T]$ for the identity predicate transformer. Then for the last subclaim we reason

$id[X]_\bot^\dagger$
= definition of Galois star
$rp.((wp.id[X]_\bot)^*)$
= Law (39)
$rp.(id[T]^*)$
= Law (28)
$rp.(id[T])$
= Law (41)
$id[X]_\bot$.


3. For any subset $E$ of relations on $X_\bot$ we reason for the first identity as follows.

$(\bigcup E)^\dagger$
= definition of Galois star
$rp.((wp.\bigcup E)^*)$
= Law (46)
$rp.((\bigwedge \{wp.r \mid r \in E\})^*)$
= Law (30)
$rp.(\bigvee \{(wp.r)^* \mid r \in E\})$
= Law (42)
$\bigcap \{rp.((wp.r)^*) \mid r \in E\}$
= definition of Galois star
$\bigcap \{r^\dagger \mid r \in E\}$
= definition
$\bigcap E^\dagger$.

For the refinement we reason

$\bigcup E^\dagger$
= definition of Galois star
$\bigcup \{rp.((wp.r)^*) \mid r \in E\}$
$\subseteq$ Law (35)
$rp.(\bigwedge \{(wp.r)^* \mid r \in E\})$
= Law (30)
$rp.((\bigvee \{wp.r \mid r \in E\})^*)$
$\subseteq$ Laws (35), (49)
$rp.((wp.\bigcap E)^*)$
= definition of Galois star
$(\bigcap E)^\dagger$.

A simple example showing that the De Morgan containment may be strict, is obtained by taking state space $X = \{0, 1\}$ and the relational semantics of assignments

$r = [\![x := 0]\!] = \{(x, 0) \mid x \in X\}_\bot$,
$s = [\![x := 1]\!] = \{(x, 1) \mid x \in X\}_\bot$,

so that $r \cap s = \{\}_\bot$, $r^\dagger = r$ and $s^\dagger = s$. Thus

$(r \cap s)^\dagger = X_\bot \times X_\bot \supset r \cup s = r^\dagger \cup s^\dagger$.

The first extreme case is the vacuous case of the first De Morgan identity. Since the second does not follow from the De Morgan containment just proved, we calculate (the remaining equality being similar),

$(X_\bot \times X_\bot)^\dagger$
= definition of Galois star
$rp.((wp.(X_\bot \times X_\bot))^*)$
= Law (47)
$rp.(false^*)$
= Law (26)
$rp.true$
= Law (44)
$\{\}_\bot$.


4. The arguments for assertions and coercions are similar so we present just one. Choosing to reason from first principles in the relational semantics we have, for any proper states $x$, $y$,

$x\,[\![\{b\}]\!]^\dagger\,y$
= definition of Galois star
$x\,(rp.((wp.[\![\{b\}]\!])^*))\,y$
= definitions of $rp$, $wp$, assertion, involution and calculus
$\forall q : pred.X \cdot ((b.x \Rightarrow q.x) \wedge (q \neq false)) \Rightarrow q.y$
= calculus
$b.x \wedge (x = y)$
= relational semantics, Figure 5
$x\,[\![[b]]\!]\,y$.

For binary conditional we reason from the two algebraic representations:

$(r \lhd b \rhd s)^\dagger$
= Law (22)
$([\![[b]]\!] ; r \cup [\![[\neg b]]\!] ; s)^\dagger$
= Part 3
$([\![[b]]\!] ; r)^\dagger \cap ([\![[\neg b]]\!] ; s)^\dagger$
= Part 2
$([\![[b]]\!]^\dagger ; r^\dagger) \cap ([\![[\neg b]]\!]^\dagger ; s^\dagger)$
= previous sub-part of 4
$([\![\{b\}]\!] ; r^\dagger) \cap ([\![\{\neg b\}]\!] ; s^\dagger)$
= Law (21)
$r^\dagger \lhd b \rhd s^\dagger$.


Thus Galois star is sup-involutive and co-monotone, obeys just one 
of the De Morgan laws between angelic and demonic nondeterminism, and 
half the other. Vitally it distributes sequential composition and binary 
conditional, preserves skip, interchanges assertions and coercions, and in 
particular the trivial cases of both De Morgan laws hold: it interchanges 
abort and magic. 


9 Applications 


Dijkstra and Scholten [6] prove, from their axioms for predicate calculus, 
that in the transformer semantics the property of being predeterministic 
is preserved by (general) conditional with pairwise disjoint guards and by 
iteration. Maddux [13] infers the same results in the transformer semantics 
(and the analogous result for sequential composition) from the relational 
semantics and Tarski's axiomatisation of the calculus of relations due to 
Boole, De Morgan, Peirce and Schröder. 

Here we extend the treatment to include commands as well as code. 
Concentrating on just the conditional, we provide proofs in the relational 
semantics that are moderately compelling because they resemble Boolean- 
algebra proofs by exploiting weak inversion in the shape of Galois star. 
And we compare those proofs with straight algebraic proofs that require 
results about co-atomicity under refinement, reflecting our earlier algebraic 
formalisation of notions related to determinism in Section 3.2. 


9.1 Algebraic Approach 
The result for binary conditional, proved algebraically, is as follows. 


Theorem 7 If $b$ is a predicate on state space and commands $P$ and $Q$ are deterministic [predeterministic, postdeterministic] then so too is the binary conditional $P \lhd b \rhd Q$.


Proof: We expand a coerced binary conditional

$[x = x_0] ; (P \lhd b \rhd Q)$
= definition of coercion and Laws (20), (7)
$(P \lhd b \rhd Q) \lhd x = x_0 \rhd magic$
= calculus
$(P \lhd b.x_0 \rhd Q) \lhd x = x_0 \rhd magic$.

From this the claims follow. For example if $P$ and $Q$ are enabled at $x_0$ then so too is the coerced binary conditional since either $b.x_0$ or not; and if the coerced binary conditional is strictly refined by $R$ then at $x_0$ either $P$ or $Q$ is strictly refined by $R$ and so $R$ is magic.

However that result does not extend to (general) conditionals, of which it suffices here to consider the following special case. Recall that for predicates $a$ and $b$ on state space and commands $P$ and $Q$, the conditional if $a \to P$ [] $b \to Q$ fi aborts unless either $a$ or $b$ holds; if just $a$ holds it behaves like $P$; if just $b$ holds it behaves like $Q$; and if both hold it behaves (demonic) nondeterministically like either $P$ or $Q$. Conditional can be defined, without having to define guarded commands, by extending Law (21) (rather than its successor):

if $a \to P$ [] $b \to Q$ fi $= (\{a\} ; P) \sqcup (\{b\} ; Q)$. (57)
We say that $a$ and $b$ are disjoint iff their conjunction is false. Then if $a$ and $b$ are not disjoint and $P$ and $Q$ are deterministic [postdeterministic], the conditional is not deterministic [postdeterministic] at some states. Nonetheless the previous theorem generalises from binary conditionals to conditionals in the following result, whose proof extends that of the previous theorem.

Theorem 8 If $a$ and $b$ are disjoint predicates on state space and $P$ and $Q$ are predeterministic commands then so too is the conditional command if $a \to P$ [] $b \to Q$ fi.


Proof: Now the coerced conditional is expanded one step further since $a$ and $b$ need not be complementary:

$(\{a\} ; P \sqcup \{b\} ; Q) \lhd x = x_0 \rhd magic$
= as before
$((P \lhd a \rhd abort) \sqcup (Q \lhd b \rhd abort)) \lhd x = x_0 \rhd magic$
= calculus, using disjointness
$(P \lhd a.x_0 \rhd (Q \lhd b.x_0 \rhd abort)) \lhd x = x_0 \rhd magic$

and the desired results follow from that. For example if $P$ and $Q$ are enabled at $x_0$ then so too is the coerced conditional, by case analysis; and if the coerced conditional is strictly refined by $R$ then either $P$ or $Q$ is strictly refined by $R$ at $x_0$; and so the conditional is co-atomic.


9.2 Relational Approach 


In this section we use Galois star to provide proofs in the relational se- 
mantics that share with Boolean algebra the use of (weak) inversion. The 
observation that enables us to do so is Law (62): 


Theorem 9 Let $P$ be a command. In the relational semantics, at an arbitrary state $x$,

$P$ is postdeterministic $\equiv [\![P]\!]^\dagger.(|x|) \supseteq [\![P]\!].(|x|)$ (58)

$P$ is enabled $\equiv [\![P]\!]^\dagger.(|x|) \subseteq [\![P]\!].(|x|)$ (59)

$P$ is deterministic $\equiv [\![P]\!]^\dagger.(|x|) = [\![P]\!].(|x|)$ (60)

$P$ is post or pre deterministic $\equiv [\![P]\!]^{\dagger\dagger}.(|x|) \subseteq [\![P]\!].(|x|)$ (61)

$P$ is predeterministic $\equiv ([\![P]\!]^\dagger \cup [\![P]\!]^{\dagger\dagger}).(|x|) \subseteq [\![P]\!].(|x|)$ (62)


Proof: Write $r = [\![P]\!]$ in the relational semantics.

For Equivalence (58), we have

$r^\dagger.(|x|) \supseteq r.(|x|)$
= definition of relational image
$\forall y : X_\bot \cdot x\,r\,y \Rightarrow x\,r^\dagger\,y$
= $\dagger$ theorem
$\forall y : X_\bot \cdot x\,r\,y \Rightarrow r.(|x|) \subseteq \{y\}$
= calculus
$r.(|x|) = \{\} \vee \#r.(|x|) = 1$
= definitions
$P$ not enabled or deterministic at $x$.

For Equivalence (59),

$r^\dagger.(|x|) \subseteq r.(|x|)$
= definition of relational image and $\dagger$ theorem
$\forall y : X_\bot \cdot r.(|x|) \subseteq \{y\} \Rightarrow x\,r\,y$
= calculus
$r.(|x|) \neq \{\}$
= definition
$P$ enabled at $x$.

Equivalence (60) is an immediate consequence of the first two.

For (61), the usual calculations show implication from left to right. Assuming now the inclusion on the right, recall that $r^{\dagger\dagger}.(|x|)$ can only be empty, singleton or all of $X_\bot$. The first case yields nothing; the second case yields $r.(|x|)$ a singleton (because if it were larger then $r^\dagger.(|x|)$ would be empty and so $r^{\dagger\dagger}.(|x|)$ would be all of $X_\bot$, a contradiction); and the third case yields $r^{\dagger\dagger}.(|x|) = X_\bot = r.(|x|)$. In the first case $P$ is not enabled at $x$; in the second case $P$ is deterministic at $x$; and in the third case $P$ aborts at $x$. Thus $P$ is postdeterministic or predeterministic at $x$.

Finally (62) follows from (59) and (61), with the observation that $P$ is predeterministic iff it is enabled and either postdeterministic or predeterministic.
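To make the three weak involutions and the determinism tests of Theorem 9 concrete, the following Python model (added here; it is not part of the paper) represents a relation on $X_\bot$ as a set of pairs, implements the closure $h$ of Sections 6 and 7, the complement, proper complement and Galois star of Sections 6 to 8 (the last via the characterisation of Theorem 6), and checks the counterexamples quoted in those sections together with Equivalences (58) to (62) on the two-element state space $X = \{0, 1\}$. The improper state $\bot$ is modelled as the string "⊥" and the assignments $x := 0$, $x := 1$ assume $0, 1 \in X$; both are choices of this example rather than of the paper.

```python
"""Finite model of healthy relations R(X) on X_bot = X ∪ {⊥} (added example).

Relations are frozensets of pairs over X_bot.  ⊥ is modelled as the string "⊥"
(an assumption of this example).  Everything is checked on X = {0, 1}.
"""
from itertools import product

BOT = "⊥"  # the improper state, standing for divergence


def states(X):
    """X_bot: the proper states together with ⊥."""
    return frozenset(X) | {BOT}


def healthy(pairs, X):
    """The closure h: add the ⊥ row (strictness) and, whenever x r ⊥, every
    state of X_bot as an outcome from x (upclosure)."""
    Xb = states(X)
    r = set(pairs) | {(BOT, y) for y in Xb}
    for x in Xb:
        if (x, BOT) in r:
            r |= {(x, y) for y in Xb}
    return frozenset(r)


def image(r, x):
    """Relational image r.(|x|)."""
    return {y for (a, y) in r if a == x}


def compose(r, s):
    """Sequential composition r ; s."""
    return frozenset((x, z) for (x, y) in r for (y2, z) in s if y == y2)


# Relational semantics of the commands used in the text.
def skip(X):    return healthy({(x, x) for x in X}, X)                      # id[X]_bot
def magic(X):   return healthy(set(), X)                                    # {}_bot
def abort(X):   return healthy(product(states(X), states(X)), X)            # X_bot x X_bot
def choose(X):  return healthy(product(X, X), X)                            # (X x X)_bot
def neq(X):     return healthy({(x, y) for x in X for y in X if x != y}, X)
def assign(X, v): return healthy({(x, v) for x in X}, X)                   # x := v
def assertion(X, b):                                                        # {b}: aborts where b fails
    return healthy({(x, x) for x in X if b(x)}
                   | {(x, y) for x in X if not b(x) for y in states(X)}, X)
def coercion(X, b):                                                         # [b]: not enabled where b fails
    return healthy({(x, x) for x in X if b(x)}, X)


# The three weak involutions.
def complement(r, X):            # Section 6: h.((X_bot x X_bot) \ r)
    Xb = states(X)
    return healthy(set(product(Xb, Xb)) - set(r), X)

def proper_complement(r, X):     # Section 7: h.((X x X) \ r)
    return healthy(set(product(X, X)) - set(r), X)

def galois_star(r, X):           # Section 8, by Theorem 6: x r† y iff x = ⊥ or r.(|x|) ⊆ {y}
    Xb = states(X)
    return frozenset((x, y) for x in Xb for y in Xb if x == BOT or image(r, x) <= {y})


# Determinism notions of Section 3.2, at a proper state x.
def enabled(r, x):           return image(r, x) != set()
def deterministic(r, x):     return len(image(r, x)) == 1
def postdeterministic(r, x): return len(image(r, x)) <= 1               # not enabled or deterministic
def predeterministic(r, x):  return deterministic(r, x) or BOT in image(r, x)  # deterministic or aborts


def theorem9_holds(r, X):
    """Check Equivalences (58)-(62) of Theorem 9 at every proper state of X."""
    rd = galois_star(r, X)
    rdd = galois_star(rd, X)
    for x in X:
        im, imd, imdd = image(r, x), image(rd, x), image(rdd, x)
        ok = (postdeterministic(r, x) == (imd >= im)                                  # (58)
              and enabled(r, x) == (imd <= im)                                         # (59)
              and deterministic(r, x) == (imd == im)                                   # (60)
              and (postdeterministic(r, x) or predeterministic(r, x)) == (imdd <= im)  # (61)
              and predeterministic(r, x) == ((imd | imdd) <= im))                      # (62)
        if not ok:
            return False
    return True


def check_laws(X):
    """The identities and counterexamples quoted in Sections 6-8, as booleans (assumes 0, 1 in X)."""
    sk, ab, mg, ch, nq = skip(X), abort(X), magic(X), choose(X), neq(X)
    b = lambda x: x == min(X)
    r0, r1 = assign(X, 0), assign(X, 1)
    return {
        # Section 6: complement of skip is abort; r;s-bar lies strictly below r-bar;s-bar
        "compl_skip_is_abort": complement(sk, X) == ab,
        "compl_seq_strict": complement(compose(sk, ab), X) == mg
                            and compose(complement(sk, X), complement(ab, X)) == ab,
        # Section 7: skip and neq are proper complements, and (56) fails in both directions
        "pc_skip_is_neq": proper_complement(sk, X) == nq and proper_complement(nq, X) == sk,
        "pc_seq_disjoint": proper_complement(compose(sk, nq), X) == sk
                           and compose(proper_complement(sk, X), proper_complement(nq, X)) == nq,
        "pc_choose_eq_abort": proper_complement(ch, X) == proper_complement(ab, X) == mg,
        # Section 8: Galois star swaps assertion/coercion and abort/magic, fixes skip, kills choose
        "star_assert_coerce": galois_star(assertion(X, b), X) == coercion(X, b)
                              and galois_star(coercion(X, b), X) == assertion(X, b),
        "star_extremes": galois_star(mg, X) == ab and galois_star(ab, X) == mg
                         and galois_star(ch, X) == mg and galois_star(sk, X) == sk,
        # Corollary 4, Part 3: (r ∩ s)† = abort strictly contains r† ∪ s† = choose
        "de_morgan_strict": galois_star(r0 & r1, X) == ab and (r0 | r1) == ch and ab > (r0 | r1),
        "theorem9": all(theorem9_holds(c, X)
                        for c in (sk, ab, mg, ch, nq, r0, assertion(X, b), coercion(X, b))),
    }


if __name__ == "__main__":
    for law, holds in check_laws({0, 1}).items():
        print(f"{law:22s} {holds}")
```

Running the block prints one line per law; every entry is True on $X = \{0, 1\}$, including the failure of (56) in both directions and the strict De Morgan containment of Corollary 4. Because `galois_star` is computed from the Theorem 6 characterisation rather than from $rp$ and $wp$, agreement of `theorem9` with the five equivalences is a check of Section 9.2's use of that characterisation, not of the Galois connection itself.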




The last theorem of the previous section can now be proved using weak inversion in the guise of (62). For convenience we again write $r = [\![P]\!]$ and $s = [\![Q]\!]$ in the relational semantics and abbreviate the conditional as iffi.

Proof: As before, we start by using disjointness to infer

$[\![iffi]\!].(|x|) = r.(|x|) \lhd a.x \rhd (s.(|x|) \lhd b.x \rhd [\![abort]\!].(|x|))$.

Thus, reasoning to establish (62),

$[\![iffi]\!]^\dagger.(|x|) \cup [\![iffi]\!]^{\dagger\dagger}.(|x|)$
= previous inference
$(r \lhd a \rhd (s \lhd b \rhd [\![abort]\!]))^\dagger.(|x|) \cup (r \lhd a \rhd (s \lhd b \rhd [\![abort]\!]))^{\dagger\dagger}.(|x|)$
= Parts 4, 3 of $\dagger$ corollary and calculus
$(r^\dagger.(|x|) \cup r^{\dagger\dagger}.(|x|)) \lhd a.x \rhd ((s^\dagger.(|x|) \cup s^{\dagger\dagger}.(|x|)) \lhd b.x \rhd [\![abort]\!].(|x|))$
$\subseteq$ assumption on $r$ and $s$
$r.(|x|) \lhd a.x \rhd (s.(|x|) \lhd b.x \rhd [\![abort]\!].(|x|))$
= notation
$[\![iffi]\!].(|x|)$,

as required.

The theorem of the previous section, for binary conditional, can be 
established by similar techniques (as can the appropriate determinism of 
other combinators). 


10 Conclusion 


This paper has promoted the use of algebra—of combinators in the program 
and command calculi—to express properties, and reason about them, in 
situations where semantic reasoning is more usual (e.g. termination). That 
has enabled us to extend certain definitions from programs to commands, 
and reason in a uniform way about both (e.g. in Section 9). The approach 
is continued in [19]. 
But our explicit target has been the extent to which the structurally- 
important and well-behaved involution on predicate transformers carries 
over to binary relations. After showing that the relational structure is not 
consistent with an involution, two ‘weak’ involutions are considered but 
discarded as being too weak in the sense that they fail to distinguish too 
many computations. A third involution—still weak but better behaved than 
the others—is defined by translating the transformer involution using the 
weakest-precondition Galois connection between relations and transformers. 
That weak involution, Galois star, is shown to be just strong enough to 
facilitate algebraic reasoning in a simple benchmark situation: preservation 
of forms of determinism (but generalised from programs to commands). The 
conclusion is that Galois star does afford the kind of reasoning with which 
we are familiar from Boolean algebra, even though it is inevitably doomed 
to be weaker. 